Tuesday, June 12, 2012

Article 29 Working Party Publishes Opinion on Exemptions for Cookies

by Mehmet Munur

The Article 29 Working Party published an opinion (WP194)
today on the exemptions from the consent requirement for cookies and similar technologies under the
revised E-Privacy Directive. The Working Party elaborated on the types of cookies that
may not require consent under certain circumstances, such as cookies that track
users’ input in forms or shopping carts and cookies that store a user’s language
preference. Most importantly, the Working Party stated that first-party
analytics cookies are not likely to create privacy risks when they are strictly
limited to first-party aggregated statistical purposes, the website provides clear
information about these cookies in its privacy policy, and adequate privacy safeguards are in place.
While the Working Party does not consider such cookies strictly necessary for the
operation of a website, it also acknowledges that the privacy risks are limited when
they are configured properly.

The Working Party elaborated on the two exceptions to
consent under Article 5(3) of the E-Privacy Directive (2002/58/EC, as amended by Directive 2009/136/EC).
Under the Directive, service providers may only store information, or gain
access to information already stored, in a user’s terminal equipment if the user has given consent
after having been provided with clear and comprehensive information. The first
exception to the consent requirement covers information stored for the sole purpose of carrying out the transmission
of a communication over an electronic communications network. The second
exception covers information strictly necessary to provide an information society
service explicitly requested by the user.

In construing the first exception, the Working
Party stated that the following elements may be helpful:

1) The ability to route the
information over the network, notably by identifying the communication
endpoints;

2) The ability to exchange data
items in their intended order, notably by numbering data packets;

3) The ability to detect
transmission errors or data loss.

Therefore, cookies or similar technologies that meet any
of the above criteria should fall within the first exception to the consent requirement.

In construing the second exception, and given the
difficulty of defining what constitutes the service, the Working Party stated that
both of the following elements should be met:

1) A cookie is necessary to provide
a specific functionality to the user (or subscriber): if cookies are disabled,
the functionality will not be available.

2) This functionality has been
explicitly requested by the user (or subscriber), as part of an information
society service.

The Working Party then turned to cookie terminology and drew
distinctions between session cookies, persistent cookies, first-party cookies,
and third-party cookies. Importantly, the Working Party stressed that it is
departing from the first-party/third-party distinction as used by browsers.
Most web browser settings classify a cookie placed on a user’s device by the
domain the user visited as a first-party cookie and any cookie placed by another
domain as a third-party cookie. The Working Party uses a different definition,
based on who controls the cookie rather than which domain set it. Borrowing the
Directive’s notion of a third party, it uses “third-party cookie” “to describe
cookies that are set by data controllers that do not operate the website
currently visited by the user.” First-party cookies, on the other hand, “refer
to a cookie set by the data controller (or any of its processors) operating the
website visited by the user, as defined by the URL that is usually displayed in
the browser address bar.” The practical consequence is that a cookie’s party
cannot be read off its domain alone: a cookie set from a processor’s domain on
behalf of the site operator is first-party under this definition, while a cookie
set under the site’s own domain on behalf of another controller is third-party.

To determine whether a cookie is strictly necessary, the
service provider must consider the lifespan of the cookie, that is, whether it
is session-based or persistent, together with the party setting it and the
purposes of the processing. The Working Party thus describes a continuum on
which first-party session cookies may well be strictly necessary whereas
third-party persistent cookies are unlikely to be. However, the Working Party
stresses that these distinctions must be used in conjunction with the purposes
of the cookies to determine whether consent is required.

The Working Party then discussed different examples of cookie
use scenarios that may be exempt from the consent requirements.

User input cookies:
Looking at session cookies that keep track of a user’s input on a website, such as
form fields or a shopping cart, the Working Party stated that these cookies would
likely not require consent.

Authentication
cookies: The Working Party came to a similar conclusion for session-based authentication
cookies. However, persistent login cookies (for example, “remember me” cookies) would require consent.

User-centric security
cookies: Cookies that serve a security function the user has requested, for example
those that detect repeated failed login attempts, would also not require consent. However, this
may not extend to other cookies relating to the security of the website itself.

Multimedia player
session cookies: Flash Player cookies may also not require consent
to the extent they store technical data such as image quality, network link
speed, and buffering parameters. However, they should be session cookies.

Load balancing
session cookies: Session-based cookies used to distribute users across
different servers are also unlikely to require consent.

UI customization
cookies: Session or persistent cookies that store a user’s preference
for language or appearance may also not require consent, mostly because the
user expresses the preference by clicking a box or link to set it.
However, notice about the use of cookies may still be required for
persistent cookies.

Social plug-in
cookies: The Working Party states that consent may be required from users
who are not logged into the social network or are not members of it. However,
consent may not be required for users who are logged in and are requesting the
service.

In addition to the above examples of exempt cookies,
the Working Party stated that the following cookies would not be exempt from
the consent requirement: social plug-in
tracking cookies, third-party advertising
cookies, and first-party analytics
cookies. To the extent that these cookies are used to track the
individual, consent is required. With regard to first-party analytics
cookies, the Working Party stated that these cookies “are not likely to create
a privacy risk when they are strictly limited to first-party aggregated
statistical purposes and when they are used by websites that already provide
clear information about these cookies in their privacy policy as well as
adequate privacy safeguards.” These safeguards should include a user-friendly way
to opt out and the anonymization of identifiable information such as IP addresses. In practice, therefore,
first-party analytics cookies with the appropriate privacy controls would
likely not require consent even though they are not in an exempted category. The
Working Party notes, however, that the privacy risks of third-party analytics
cookies that track users across websites are higher and that such cookies would require consent.
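The classification axes the opinion relies on (session versus persistent, first-party versus third-party, purpose) are exactly what a cookie audit has to record before the exemption analysis can be applied. The following Python script is an added example, not part of the opinion or of this post: it parses raw Set-Cookie headers captured for one page, classifies each cookie’s lifespan and party, and applies the WP194 categories described above. The sample headers, the site host, and the purpose assigned to each cookie name are constructed for illustration. The purpose must come from the auditor, since a header never states why a cookie exists, and the party test here is the browser-style domain test, whereas WP194 asks who controls the cookie, so every “first-party” result still needs a controller review.

```python
"""Cookie audit helper applying the WP194 categories (added example, not from the opinion)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Purposes are assigned by the auditor per cookie name; the header itself never says why
# a cookie exists. These constructed assignments cover the categories the opinion discusses.
SAMPLE_PURPOSES = {
    "SESSIONID": "user_input",        # shopping cart / form state
    "remember_me": "authentication",  # persistent login
    "lang": "ui_customization",
    "lb": "load_balancing",
    "_ga": "analytics",
    "uid": "advertising",
    "sp": "social_plugin",
}

# Constructed Set-Cookie headers as they might be captured from www.shop.example
SAMPLE_HEADERS = [
    "SESSIONID=9f3a1c; Path=/; Secure; HttpOnly",
    "remember_me=7b2e; Max-Age=2592000; Path=/; HttpOnly",
    "lang=de; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "lb=node-3; Path=/",
    "_ga=GA1.2.1; Domain=.shop.example; Max-Age=63072000; Path=/",
    "uid=x9q; Domain=.ads.example; Max-Age=31536000; Path=/",
    "sp=1; Domain=.social.example; Path=/",
]
SITE_HOST = "www.shop.example"                           # the URL shown in the address bar
AUDIT_DATE = datetime(2012, 6, 12, tzinfo=timezone.utc)  # fixed so Expires checks are stable

# Categories the opinion treats as exempt only when the cookie is session-based
SESSION_ONLY_EXEMPT = {"user_input", "authentication", "security", "multimedia", "load_balancing"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def lifespan(cookie, now):
    """Session cookie = neither Max-Age nor Expires (RFC 6265); Max-Age wins when both are present."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        return "persistent" if parsedate_to_datetime(attrs["expires"]) > now else "expired"
    return "session"


def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for the sample; a real audit should use the
    public suffix list, otherwise co.uk-style suffixes are misclassified."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def party(cookie, site_host):
    """Browser-style, domain-based test. WP194 instead asks whether the controller that set
    the cookie operates the visited site, so each result here still needs a controller review."""
    domain = cookie["attrs"].get("domain") or site_host
    return "first-party" if registrable(domain) == registrable(site_host) else "third-party"


def verdict(purpose, life, party_class):
    """Map (purpose, lifespan, party) onto the consent outcomes described in the opinion."""
    if life == "expired":
        return "n/a (deleted on receipt)"
    if purpose in SESSION_ONLY_EXEMPT:
        return "exempt" if life == "session" else "consent required (persistent)"
    if purpose == "ui_customization":
        return "exempt" if life == "session" else "exempt, but give notice (persistent)"
    if purpose == "social_plugin":
        return "exempt for logged-in members only; consent for everyone else"
    if purpose == "analytics":
        if party_class == "first-party":
            return "consent required as the Directive stands; low risk with opt-out and IP anonymization"
        return "consent required (cross-site tracking)"
    if purpose in {"advertising", "tracking"}:
        return "consent required"
    return "review: purpose not assigned"


def audit(headers, purposes, site_host, now):
    """Return one row per cookie with lifespan, party, purpose and consent verdict."""
    rows = []
    for header in headers:
        cookie = parse_set_cookie(header)
        life = lifespan(cookie, now)
        party_class = party(cookie, site_host)
        purpose = purposes.get(cookie["name"], "unknown")
        rows.append({"name": cookie["name"], "lifespan": life, "party": party_class,
                     "purpose": purpose, "verdict": verdict(purpose, life, party_class)})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS, SAMPLE_PURPOSES, SITE_HOST, AUDIT_DATE):
        print(f"{row['name']:<12} {row['lifespan']:<10} {row['party']:<12} "
              f"{row['purpose']:<17} {row['verdict']}")
```

Run as-is it prints one line per sample cookie; for a real audit, replace the sample headers with the Set-Cookie headers captured by a proxy or browser developer tools, fill in the purpose map from the site’s own documentation, and treat the party column as a starting point for the controller question the opinion actually asks.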

This Working Party opinion falls in
line with the latest
opinions from the UK ICO and the CNIL.
The ICO and the Working Party appear to have stepped back from the strict interpretation
of the amended E-Privacy Directive that would require informed consent even for
first-party analytics. In fact, the Working Party now calls for a revision of
the Directive to explicitly allow for

This long awaited opinion from the Working Party adds
detail to the difficult challenges most companies face in complying
with the revised E-Privacy Directive. It does not remove the need to audit
and perform due diligence on the cookies and similar technologies a company uses. It does, however, make first-party
analytics cookies easier to deploy.

Thursday, June 07, 2012

Employee Use of P2P Software Results in FTC Enforcement Actions

By Mehmet Munur

The Federal Trade Commission announced that it has
brought two separate enforcement actions, against a debt collector and a car
dealership, because sensitive personal information was shared without authorization
over peer-to-peer (P2P) file-sharing networks through software installed by their employees. As is common in
FTC enforcement actions, the companies will be required to stop misrepresenting
the privacy and security of personal information, maintain a comprehensive
information security program, and submit to third-party security assessments for 20
years. These enforcement actions once again point to the importance of having a
privacy policy that aligns with actual privacy practices and of having
reasonable security practices in place.

The FTC complaint
against the debt collector, EPN, alleges that it collected personal information
without reasonable and appropriate security. For debt collection purposes, EPN
collected from its clients names, addresses, dates of birth, gender, Social Security
numbers, employer addresses, and employer phone numbers and, in the case of healthcare
clients, physician names, insurance numbers, diagnosis codes, and medical visit types.
EPN’s Chief Operating Officer installed a P2P application on EPN’s systems, even
though EPN had no business need for it. One of EPN’s clients found the files being
shared on the same P2P network and alerted EPN. In all, information about roughly
3,800 individuals was exposed through the application. The FTC alleged that EPN had
no incident response plan, no risk assessment, no measures against P2P software use
by its employees, and no procedures for detecting unauthorized access to personal
information, and that these failures were unfair practices under Section 5 of the
FTC Act.

It is interesting that the FTC did not point to a privacy
policy for representations about the privacy and security of the
information EPN collected, even though EPN, doing business as Checknet, Inc.,
has a website privacy policy.
However, that privacy policy has no effective date and may have been
added after the FTC investigation began.

The FTC
complaint against the car dealer, Franklin’s Budget Car Sales, alleges that
the dealership gave its customers a privacy
notice stating that it would restrict access to non-public
personal information and that it maintained physical, electronic, and
procedural safeguards complying with federal regulations. The dealership
collected personal information such as names, Social Security numbers,
addresses, telephone numbers, dates of birth, and driver’s license numbers from
consumers. The FTC also alleges that the dealership did not provide the annual
privacy notice required by the GLBA. Currently, Franklin Toyota’s website privacy page
shows the GLBA model privacy
form instead of a web privacy policy, and the form is still the unedited
model, with some of the choices needed to complete it never having been made. The FTC
further alleges that the dealership failed to put reasonable security
procedures in place, failures similar to those alleged against EPN. As a result, information
relating to 95,000 consumers was shared on P2P networks. The FTC therefore
alleged violations of Section 5 of the FTC Act (for misrepresenting its
privacy and security measures in its privacy notice), the GLBA Safeguards Rule
(for failing to implement reasonable security practices), and the GLBA Privacy
Rule (for failing to send annual privacy notices).

Both companies agreed to similar terms as a result of these
complaints. The consent order with the
dealership requires it not to misrepresent the privacy, security, and
confidentiality of the personal information it collects and not to violate the GLBA. It also requires
the dealership to designate an employee accountable for information security,
conduct a risk assessment, and design and implement reasonable safeguards, among
other things. The dealership must also submit to third-party assessments once every
two years for 20 years. The debt collector’s consent
order is similar, minus the GLBA requirements.

There are several lessons to be learned from the enforcement
actions—some new, some old.

First, the enforcement actions highlight the importance of
having a privacy policy and abiding by both the letter and the spirit of that
policy to avoid an enforcement action under the FTC Act. Google,
Facebook,
Twitter
and others fell into the same trap of having a privacy policy that did not
align with their privacy and security practices.

Second, failing to have reasonable security can still result in an
enforcement action even without any representations about the importance of
privacy and security to the organization, especially where the
harm to consumers may include the sharing of sensitive personal information. Here,
the FTC seemed troubled by the fact that some of the personal information
shared on the P2P networks may never be taken out of circulation because of the decentralized
nature of those networks. In fact, some of this information likely included
details of healthcare procedures.

Finally, the FTC appears to be following a “study, report,
then bring enforcement actions” plan for topics of interest, as any reasonable
regulator should. In the P2P space, the FTC obtained comments and looked at consumer
protection and competition issues in a 2005 staff report.
More recently, in 2010, the FTC completed a study of widespread data
breaches resulting from the use of P2P software by businesses and notified
about 100 organizations. The FTC also published guides for consumers
and businesses
on the use of P2P software. Then, the FTC brought an enforcement action against
Frostwire LLC over default settings in its P2P software that shared too
much personal information. Now, the FTC is bringing enforcement actions against
businesses whose use of P2P software caused breaches. The FTC has been
following a similar study-report-enforce plan for mobile privacy,
mobile payments, and behavioral advertising. Therefore, I would expect more
enforcement actions in those fields as a result of the plan the FTC has been
carrying out in this P2P area.

These latest enforcement actions are reminders that
businesses must pay attention to their privacy and security practices or risk
being subject to onerous consent orders prescribing privacy and security programs.
